Microsoft Smartscreen and Application Reputation

When you download one of our products, you may receive a warning from your anti-virus software about the safety of the download.

Code Signing Certificates, along with MS SmartScreen technology, protect users from downloading infected applications and malware.

What is “Application Reputation”?

Software downloaded from the Internet is similar to people on the Internet—it’s hard to tell which ones are dodgy, at least without help. That’s where “application reputation” technology comes in.

Application reputation is a method employed by Microsoft’s SmartScreen® filter to distinguish good software from bad software as it is downloaded from the Internet.

Reputation works similarly to the way we develop trust in other people—we study them over the course of multiple encounters or, if we don’t have prior experience with them, we rely on others for information about their reputation.

Blacklists and whitelists

One way to tell if an application has a bad reputation is to check whether its fingerprint is on a blacklist.

Just like the FBI, most anti-virus (AV) systems maintain databases of fingerprints belonging to malicious software. Whenever a new bad actor appears, its fingerprint is added to the AV database. This works in most cases. However, just like in the movies, some bad actors change their faces and fingerprints to escape detection.

How do they do this? They make a slight change or variation in their code so that its fingerprint no longer matches the one in the AV database. Some of these are referred to as “polymorphic,” meaning that they can change their appearance in multiple ways. Just like a mutating virus, each time they run, they can potentially spawn up to a million different variants.

So, blacklisting bad code quickly becomes a losing battle when you’re fighting against polymorphic malware.

A whitelist is another technique for determining application reputation. Well-known code that has proven itself harmless over the years can be whitelisted.

When known software with a good reputation tries to install or run on a machine where it has been whitelisted, the system can allow it.

But what about new software? How does SmartScreen® identify new software as good or bad?

How Does SmartScreen® Work with new Applications?

Internet Explorer’s SmartScreen feature uses a variety of signals to evaluate the reputation of a given download. These include the download’s history and popularity, anti-virus results, the reputation of the site it was delivered from, and more.

Why should developers sign their code?

Although not a requirement, it is highly recommended that developers who distribute applications online sign their code to establish reputation.

Code signing is an industry best practice

It allows consumers to authenticate that files signed by a publisher are actually from that publisher.

Code signing prevents malicious tampering

Signing also helps ensure that files cannot be secretly tampered with while stored on a server or during the download process.

Without a digital signature, there is no way for a user to validate who actually created the file. Malware authors commonly exploit this gap in their social engineering attacks.
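The two properties just described (publisher identity and tamper detection) are what a user can check before running a download. The following PowerShell function is an added example, not code from the original page: it verifies a file’s Authenticode signature and confirms the signer is the expected publisher. The path and publisher name it uses are assumed placeholders.

```powershell
# Added example (not from the original page): verify a downloaded installer's
# Authenticode signature before running it, and check that the signer is the
# publisher you expected. $InstallerPath and $ExpectedPublisher are assumed values.
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'Example Publisher Ltd'
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "File not found: $InstallerPath"
    }

    # Get-AuthenticodeSignature validates both the signature over the file's
    # contents and the certificate chain of the signer.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath

    # Status is NotSigned for unsigned files, HashMismatch if the file was altered
    # after signing (tampering on the server or in transit), NotTrusted if the
    # chain does not lead to a trusted root, and Valid only when everything checks out.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$InstallerPath': $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature proves integrity and identity, not good intent: confirm
    # that the signer's subject is the publisher you meant to download from.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Signed by '$subject', expected '$ExpectedPublisher'"
        return $false
    }

    Write-Host "OK: '$InstallerPath' is signed by '$subject' (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

# Usage (assumed path and publisher name):
# Test-DownloadSignature -InstallerPath "$env:USERPROFILE\Downloads\setup.exe" -ExpectedPublisher 'Example Publisher Ltd'
```

A `$true` result means the file is intact and came from the named publisher; it says nothing about whether that publisher has a good reputation, which is the separate question SmartScreen answers.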

A warning

Of course, the presence of a digital signature alone does not ensure a download is non-malicious.

Digitally signing an application does not guarantee that its download will have an established reputation immediately. But it can play an important part in ensuring that applications receive the reputation they deserve.

If the author or publisher has not yet established a reputation of trust, a warning can still appear. This can happen even if the software has been signed with a regular code-signing certificate.

As the software or its publisher becomes established and gains a good reputation, the likelihood of a warning diminishes.

More info

Find out more on Microsoft’s page on this topic.